CFSSL is CloudFlare’s open source PKI/TLS tool for signing, verifying, and bundling TLS certificates on Linux, macOS and Windows machines. By picking the right chain of certificates, CFSSL solves the balancing act between performance, security, and compatibility. In this guide we will look at how you can install CFSSL on Linux and macOS systems.

CFSSL consists of:

  • A set of packages useful for building custom TLS PKI tools
  • The cfssl program, which is the canonical command line utility using the CFSSL packages.
  • The multirootca program, which is a certificate authority server that can use multiple signing keys.
  • The mkbundle program, which is used to build certificate pool bundles.
  • The cfssljson program, which takes the JSON output from the cfssl and multirootca programs and writes certificates, keys, CSRs, and bundles to disk.

There are two standard installation methods that can be used on Linux and macOS. One is to download the binary packages that the developers have compiled for you. The other is to use Go to pull the source and compile it yourself.

Install from source

For the build installation method you need Go, which can be installed with the commands below.

--- Linux ---
wget -q -O - https://raw.githubusercontent.com/canha/golang-tools-install-script/master/goinstall.sh | bash

--- macOS ---
curl https://raw.githubusercontent.com/canha/golang-tools-install-script/master/goinstall.sh | bash

Install git:

--- CentOS / Fedora ---
$ sudo yum -y install git gcc

--- Ubuntu / Debian ---
$ sudo apt update
$ sudo apt install git

After installing Go, you can then build and install all of the utility programs (including cfssl, cfssljson, and mkbundle among others).

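source ~/.bashrc
# Go 1.17 and later install binaries with "go install"; older releases used:
#   go get -u github.com/cloudflare/cfssl/cmd/...
go install github.com/cloudflare/cfssl/cmd/...@latest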

The binary packages will be available in your Go home directory and can be invoked from the terminal directly if the directory is in your PATH.

$ ls ~/go/bin/
cfssl  cfssl-bundle  cfssl-certinfo  cfssljson  cfssl-newkey  cfssl-scan  mkbundle  multirootca

You can also copy the binaries to a directory in your PATH.

sudo cp ~/go/bin/* /usr/local/bin

Binary installation method

If you prefer the binary installation method, each tool needs to be installed independently of the others. We’ve covered installation of a few of the programs that come with cfssl, but the others can be installed as you wish.

Install cfssl program

Install on Linux:

For installation on a Linux machine you should have the wget command line tool installed.

VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VNUMBER=${VERSION#"v"}
wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/cfssl_${VNUMBER}_linux_amd64 -O cfssl
chmod +x cfssl
sudo mv cfssl /usr/local/bin

Install on macOS:

VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VNUMBER=${VERSION#"v"}
wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/cfssl_${VNUMBER}_darwin_amd64 -O cfssl
chmod +x cfssl
sudo mv cfssl /usr/local/bin

Verify installation was successful by checking version number:

$ cfssl version
Version: 1.4.1
Runtime: go1.12.12

Installing cfssljson program

Install on Linux:

VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VNUMBER=${VERSION#"v"}
wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/cfssljson_${VNUMBER}_linux_amd64 -O cfssljson
chmod +x cfssljson
sudo mv cfssljson /usr/local/bin
cfssljson -version

Install on macOS:

VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VNUMBER=${VERSION#"v"}
wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/cfssljson_${VNUMBER}_darwin_amd64 -O cfssljson
chmod +x cfssljson
sudo mv cfssljson /usr/local/bin
cfssljson -version

Installing mkbundle

This is a program used to build certificate pool bundles.

Install on Linux:

VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VNUMBER=${VERSION#"v"}
wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/mkbundle_${VNUMBER}_linux_amd64 -O mkbundle
chmod +x mkbundle
sudo mv mkbundle /usr/local/bin

Install on macOS:

VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VNUMBER=${VERSION#"v"}
wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/mkbundle_${VNUMBER}_darwin_amd64 -O mkbundle
chmod +x mkbundle
sudo mv mkbundle /usr/local/bin

Installing multirootca

Installation on Linux:

VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VNUMBER=${VERSION#"v"}
wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/multirootca_${VNUMBER}_linux_amd64 -O multirootca
chmod +x multirootca
sudo mv multirootca /usr/local/bin

You can get a list of all other packages available on the project’s GitHub page.
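
The download steps above make each binary executable without checking it first. As an added example (not from the original guide or the CFSSL project), the helpers below build the asset name and URL in the pattern this guide uses and verify a downloaded file against a SHA-256 checksums file in sha256sum format. The function names are hypothetical and the checksums file location is a placeholder to be taken from the release page.

```shell
# Added example, not part of the original guide or the CFSSL project.
# Function names are hypothetical; the asset naming follows the wget lines above.

# asset_name TOOL TAG OS ARCH  ->  e.g. cfssl_1.4.1_linux_amd64
asset_name() {
  printf '%s_%s_%s_%s\n' "$1" "${2#v}" "$3" "$4"
}

# asset_url TOOL TAG OS ARCH  ->  release download URL in the form used above
asset_url() {
  printf 'https://github.com/cloudflare/cfssl/releases/download/%s/%s\n' \
    "$2" "$(asset_name "$1" "$2" "$3" "$4")"
}

# sha256_of FILE  ->  hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_asset FILE NAME SUMS
# Succeeds only if SUMS (sha256sum format: "<digest>  <name>") holds exactly
# one well-formed entry for NAME and that digest matches FILE.
verify_asset() {
  local file=$1 name=$2 sums=$3 expected actual
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1}' "$sums")
  # A missing entry, duplicate entries (embedded newline) or non-hex text fail here.
  case $expected in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 1
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Typical flow (CHECKSUMS_URL is a placeholder; take it from the release page):
#   name=$(asset_name cfssl "$VERSION" linux amd64)
#   wget "$(asset_url cfssl "$VERSION" linux amd64)" -O cfssl
#   wget "$CHECKSUMS_URL" -O checksums.txt
#   verify_asset cfssl "$name" checksums.txt && chmod +x cfssl && sudo mv cfssl /usr/local/bin
```

Because verify_asset looks the digest up by asset name, the file must be checked under the name it has in the release, not the shortened name passed to wget -O.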

See our next article on How to build Private PKI/TLS CA for Certificates Management With CloudFlare CFSSL
